Configuring SSL for HBase

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

Before You Begin

  • Before enabling SSL, ensure that keystores containing certificates bound to the appropriate domain names are accessible on all hosts on which at least one HBase daemon role is running.
  • Keystores for HBase must be owned by the hbase group, and have permissions 0440 (that is, readable by owner and group).
  • Cloudera Manager supports the SSL configuration for HBase at the service level. You must specify absolute paths to the keystore and truststore files. These settings apply to all hosts on which daemon roles of the HBase service run. Therefore, the paths you choose must be valid on all hosts.

    An implication of this is that the keystore file names for a given service must be the same on all hosts. If, for example, you have obtained separate certificates for HBase daemons on hosts node1.example.com and node2.example.com, you might have chosen to store these certificates in files called hbase-node1.keystore and hbase-node2.keystore (respectively). When deploying these keystores, you must give them both the same name on the target host — for example, hbase.keystore.
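
A pre-flight check for the keystore requirements listed above (absolute path, group ownership, mode 0440), meant to be run on each HBase host before SSL is enabled. This is an added example, not part of the original documentation; the function name check_hbase_keystores and the placeholder path in the usage comment are assumptions.

```shell
# Added example: verify keystore/truststore prerequisites on the local host.
# Usage (placeholder path): check_hbase_keystores hbase /path/to/hbase.keystore
# The group is a parameter (normally "hbase") so the check can also be
# exercised on a machine where that group does not exist.
check_hbase_keystores() {
    group=$1; shift
    rc=0
    for path in "$@"; do
        # One service-level setting is used on every host, so the path
        # must be absolute and identical everywhere.
        case $path in
            /*) ;;
            *) echo "FAIL $path: not an absolute path" >&2; rc=1; continue ;;
        esac
        if [ ! -f "$path" ]; then
            echo "FAIL $path: missing on $(uname -n)" >&2; rc=1; continue
        fi
        # -perm 0440 is an exact match: 0444, 0640 or 0600 all fail.
        # -H makes find inspect the target when the path is a symlink.
        if [ -z "$(find -H "$path" -prune -perm 0440)" ]; then
            echo "FAIL $path: mode is not 0440" >&2; rc=1
        fi
        if [ -z "$(find -H "$path" -prune -group "$group")" ]; then
            echo "FAIL $path: group is not $group" >&2; rc=1
        fi
    done
    return $rc
}
```

The function returns 0 only when every listed file passes all checks, so it can gate a deployment script that copies the keystore to each host under the same file name.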

Procedure

The steps for configuring and enabling SSL for HBase are similar to those for HDFS, YARN and MapReduce:
  1. Navigate to the HBase service and click Configuration.
  2. In the Search field, type SSL to show the HBase SSL properties (found under the Service-Wide > Security category).
  3. Edit the following SSL properties according to your cluster configuration:
    HBase SSL Properties
    Property                             Description
    SSL Server Keystore File Location    Path to the keystore file containing the server certificate and private key.
    SSL Server Keystore File Password    Password for the server keystore file.
    SSL Server Keystore Key Password     Password that protects the private key contained in the server keystore.
  4. Check the Web UI SSL Encryption Enabled property.
    Web UI SSL Encryption Enabled        Enable SSL encryption for the HBase Master, Region Server, Thrift Server, and REST Server web UIs.
  5. Click Save Changes.
  6. Restart the HBase service.